Back to list

Medium CINC-20251221-C8F9375F new

Aggregate ID: aggind:024efd237c2d4f87958607652cb04c8b:17475897462

Incident ID CINC-20251221-C8F9375F

Severity Medium (70)

Status new

Alert Count 5

Host Count 1

First Seen 2025-12-22 05:12:17

Last Seen 2025-12-22 05:13:15

Duration 0d 0h 0m

Created 2025-12-22 08:36

Updated 2026-01-13 15:14

Rec... Ini... Exe... Per... Pri... Def... Cre... Dis... Lat... Col... Com... Exf... Imp...

Observed Tactics:

Techniques:

Severity	Status	Hostname	Description	Tactic	Command Line	Time
Informational	new	BOOK-R0BE6S1NC3	A process has written a known EICAR test file. Review the files written by the triggered process.	Execution	"C:\app\cortex-xdr-siem-test\.venv\Scripts\python.exe" mega_incident_generator.py --rounds 2 --interval 30	12-22 05:13
High	new	BOOK-R0BE6S1NC3	A command line indicates an attempt to hijack a remote desktop protocol session. Review the process tree.	Lateral Movement	C:\windows\system32\cmd.exe /c "tscon 1 /dest:rdp-tcp#0"	12-22 05:13
High	new	BOOK-R0BE6S1NC3	A process appears to be launching mimikatz, a password dumping utility. mimikatz's primary purpose is to steal passwords. If credentials were dumped, change your passwords and investigate further.	Credential Access	C:\windows\system32\cmd.exe /c "powershell -c "sekurlsa::logonpasswords""	12-22 05:13
High	new	BOOK-R0BE6S1NC3	A CMSTP.exe process appears to have been supplied with a suspicious INF file. CMSTP.exe may be abused to load and execute DLLs andor COM scriptlets SCT from remote servers. Review the command line.	Defense Evasion	cmstp /s /ns C:\Users\ubuntu\AppData\Local\Temp\test.inf	12-22 05:13
Informational	new	BOOK-R0BE6S1NC3	A process has written a known EICAR test file. Review the files written by the triggered process.	Execution	"C:\app\cortex-xdr-siem-test\.venv\Scripts\python.exe" mega_incident_generator.py --rounds 2 --interval 30	12-22 05:12